I have to trying always for Perl, .htaccess and httppd.conf with different Username and Password from LDAP Search. But it it out of all recognition for username and password. Maybe I am wrong for programmer or what?
Perl:
Package:
use Net::LDAP;
use Net::LDAP::Extension::SetPassword;
Function:
my $ldapserver="ldap.server.com";
my $dn="CN=Company IT,OU=Standard Users,OU=Users,OU=Company IT AG,OU=Prod,DC=server,DC=server,DC=com";
my $ldap = Net::LDAP->new( $ldapserver, debug =>0 ) or die $#;
my $result = $ldap->bind( $dn, password => password );
#$result->SetPassword('user');
$result = $ldap->search(
base => "OU=Standard Users,OU=Users,OU=Company IT AG,OU=Prod,DC=server,DC=server,DC=com",
filter => "(mailNickname="*")"
httpd:
<Directory "/opt/csw/apache2/share/cgi-bin">
SetEnv LD_LIBRARY_PATH "/opt/csw/apache2/lib:/opt/oracle/product/11.2.0.4/instantclient_11g"
AddHandler cgi-script .cgi .pl .py
AllowOverride Options
Options +ExecCGI
Order allow,deny
Allow from all
AuthName "Enter Your Network Username/Password"
AuthType Basic
AuthBasicProvider ldap
AuthBasicAuthoritative off
AuthLDAPURL ldap://ldap.server.com
AuthLDAPBindDN "CN=Company IT,OU=Standard Users,OU=Users,OU=Company IT AG,OU=Prod,DC=server,DC=server,DC=com"
AuthLDAPBindPassword password
AuthLDAPRemoteUserAttribute mailNickname
require valid-user
</Directory>
htaccess:
AuthName "Enter Your Network Username/Password"
AuthType Basic
Options +ExecCGI
AuthBasicProvider ldap
AuthBasicAuthoritative off
AuthLDAPURL ldap://ldap.server.com
AuthLDAPBindDN "CN=Company IT,OU=Standard Users,OU=Users,OU=compant IT AG,OU=Prod,DC=server,DC=server,DC=com"
AuthLDAPBindPassword password
AuthLDAPRemoteUserAttribute mailNickname
require valid-user
AuthLDAPBindDN must be the user to consult the ldap, AuthLDAPURL must be not only the ldap server but the entire LDAP patch Active Directory. Like
AuthLDAPBindDN "userldap#domain"
AuthLDAPURL "ldap://ldap.server.com/OU=Standard Users,OU=Users,OU=compant IT AG,OU=Prod,DC=server,DC=server,DC=com?sAMAccountName?sub?(objectClass=*)"
Related
I have install thruk 3.0 and naemon. I following the instrutions on
https://www.thruk.org/documentation/install-webserver.html
I am using ldap not active directory.
from my truck log
login failed for jprouty on /thruk/ from 10.17.74.37
my apache error logs shows
user jprouty not found: /thruk/cgi-bin/restricted.cgi
<Location /thruk/>
Options ExecCGI FollowSymLinks
AuthName "Thruk Monitoring"
AuthType Basic
#leagacy file authentication first, then ldap
AuthBasicProvider file ldap
AuthUserFile /etc/thruk/htpasswd
#ldap
AuthLDAPURL "ldap://ipa.domain.com/cn=users,cn=accounts,dc=domain,dc=com?uid?sub?(memberOf=cn=monitoring,cn=groups,cn=accounts,dc=domain,dc=com)"
AuthLDAPBindDN "uid=httpbind,cn=sysaccounts,cn=etc,dc=domain,dc=com"
AuthLDAPBindPassword "XXXXXXXX"
AuthLDAPRemoteUserAttribute uid
Require valid-user
I have tested with ldapsearch and able to connect with user/password
did a tcpdump and see the ldap sending
freeBSD 11.3, apache 24 with mod_ldap, mod_authz_ldap loaded in http.conf
here is the configuration for ldap in http.conf
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/CA.pem
LDAPTrustedMode SSL
< Directory />
AuthLDAPURL ldaps://ldap.jackyu.org/dc=jackyu,dc=org?uid
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPBindDN cn=pamclient,ou=SystemAdmin,dc=jackyu,dc=org
AuthLDAPBindPassword xyz
AuthType basic
AuthName "Secure Access"
AuthBasicProvider ldap
require ldap-group cn=family,ou=group,dc=jackyu,dc=org
AllowOverride None
Order deny,allow
Deny from all
# AuthzLDAPAuthoritative on (this is removed in apache 24)
< /Directory>
For apapche 22, this configuration works fine, but for apache 24, when user tries to access the site, it shows forbidden (403 error), without prompting user the login popup. User has no chance to login.
This apache 24 server can connect to ldap server in the shell for user authentication. The problem is apache 24 doesn't prompt user login when user tries to access the site.
here are the configuration works for apache 24
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/CA.pem
LDAPTrustedMode SSL
< Directory />
AuthLDAPURL ldaps://ldap.jackyu.org/dc=jackyu,dc=org?uid
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPBindDN cn=pamclient,ou=SystemAdmin,dc=jackyu,dc=org
AuthLDAPBindPassword xyz
AuthType basic
AuthName "Secure Access"
AuthBasicProvider ldap
Require ldap-group cn=family,ou=group,dc=jackyu,dc=org
AllowOverride None
# Order deny,allow (this is removed in apache 24)
# Deny from all (this is removed in apache 24)
# AuthzLDAPAuthoritative on (this is removed in apache 24)
< /Directory>
This is my LDAP configuration in Apache2.2.x
Order deny,allow
AuthType Basic
AuthName "Test"
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc1.domain.com:389/DC=domain,DC=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=Administrator,CN=Users,DC=domain,DC=com"
AuthLDAPBindPassword "secret"
authzldapauthoritative Off
require valid-user
When i load the page i get the pop up for password en username.
But when i fill them in i get an internal server error.
If i look in the error log of apache is see no new errors.
If i change my BindPassword to something wrong i get errors in my /var/log/apache2/error.log
Pulling my hair out!
Try to set "REFERRALS off" in /etc/ldap/ldap.conf.
Problem: I have some files under /var/www/files/ that I want them to be accessed from specific IP addresses WITHOUT requiring user/password. However, I would like that any other IP address SHOULD require login to gain access.
This is in my httpd.conf:
<Directory /var/www/files/>
Order deny,allow
Deny from all
Allow from 192.168
AuthUserFile /etc/apache2/basic.pwd
AuthName "Please enter username and password"
AuthType Basic
Require user valid-user
</Directory>
But, if I understood correctly, this means that any client coming from 192.168.* will have access to that directory BUT will require a valid-user to view its content. And any other IP address will be denied. right?
Thank you in advance.
This is how it's done for Apache 2.4+ (since Satisfy Any is no longer supported).
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<RequireAny>
Require ip 22.33.44.55
Require valid-user
</RequireAny>
</Directory>
If you want to require both IP address -and- Login/Password, change <RequireAny> to <RequireAll>
I hope this helps someone - as it took me a while to figure it out.
edit: this may be accepted answer, but old. For new Apache installs, use Brians answer here
Add this: Satisfy Any (which means either of those 2 should be passed).
And the syntax is either:
Require valid-user
Or:
Require user <userid>
If your server is behind a proxy, you can't rely on the Require ip directly. However, you can use the Require env:
<Directory /var/www/files/>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
SetEnvIF X-Forwarded-For "22.33.44.55" AllowIP
<RequireAny>
Require env AllowIP
Require valid-user
</RequireAny>
</Directory>
The source of the idea
At Apache 2.4+, if you also like to set a fixed username based on the IP block you could use AuthBasicFake directive together with runtime If directive.
This example with grant direct access to 22.33.44.55/32 and 66.77.88.99/32 and sets username demouser, all others must login.
<Location>
AuthType Basic
AuthName "Please enter your username and password"
AuthUserFile /var/www/files/.htpasswd
<If "-R '22.33.44.55/32' || -R '66.77.88.99/32'">
AuthBasicFake demouser
Require all granted
</If>
<Else>
Require valid-user
</Else>
</Location>
SetEnvIF X-Forwarded-For "192.168.135.159" AllowIP
SetEnvIF X-Forwarded-For "192.168.135.135" AllowIP
AuthType Basic
AuthName "admin"
AuthUserFile "/var/www/domain.com/cms/.htpasswd"
<RequireAll>
Require env AllowIP
require valid-user
</RequireAll>
İ also checked many variants. this code üorks with 2.4 version of apache 100%
I have set up a site that is currently work in progress. I'm using an external SMS gateway that needs access to a script on my server. However, I have set up a basic username and password authentication for regular users, but the SMS gateway can't get through that.
How can I allow a single IP to pass through the authentication without authenticating itself, and deny all other users that aren't authenticated?
Here's my .htaccess file:
Order allow,deny
Allow from all
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
require user admin
Just found out, with help from JoseK:
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
require valid-user
Allow from 1.2.3.4
Satisfy Any
UPDATE: As of Apache 2.4, Order, Allow, Deny, and Satisfy directives should not be used anymore. So the new syntax is:
AuthType Basic
AuthUserFile /www/.site_htpasswd
AuthName "Protected Area"
<RequireAny>
Require ip 1.2.3.4
Require valid-user
</RequireAny>
Try changing first 2 lines to
Order deny,allow
Deny from all
Allow from 1.2.3.x
Replace your desired IP in the Allow from